CIS Benchmarks Cheat Sheet

Overview

CIS Benchmarks are consensus-based security configuration guidelines developed by the Center for Internet Security. They provide prescriptive, prioritized hardening recommendations for over 100 technologies including operating systems (Windows, Linux, macOS), cloud providers (AWS, Azure, GCP), databases, web servers, network devices, and containerized environments. Each benchmark undergoes rigorous peer review by a global community of security professionals and maps to common compliance frameworks such as NIST 800-53, PCI DSS, HIPAA, and SOC 2.

The benchmarks are organized into two implementation profiles. Level 1 recommendations are practical security measures that can be applied broadly without significant performance impact and are suitable for most organizations. Level 2 recommendations provide deeper defense-in-depth controls intended for environments requiring higher security assurance, potentially at the cost of reduced functionality or increased administrative overhead. Organizations typically use CIS-CAT Pro Assessor or OpenSCAP to automate benchmark assessment and produce compliance reports against these profiles.

Installation

CIS-CAT Pro Assessor (Licensed)

# Download CIS-CAT Pro from CIS WorkBench (requires SecureSuite membership)
# https://workbench.cisecurity.org/

# Extract the assessor bundle
unzip cis-cat-pro-assessor-v4.x.x.zip -d /opt/cis-cat

# Ensure Java 11+ is available
java -version

# Set environment variables
export CIS_CAT_HOME=/opt/cis-cat
export PATH=$PATH:$CIS_CAT_HOME

CIS-CAT Lite (Free)

# Download CIS-CAT Lite from CIS website
# https://www.cisecurity.org/cis-cat-lite

# Extract and navigate
unzip cis-cat-lite-v4.x.x.zip -d /opt/cis-cat-lite
cd /opt/cis-cat-lite

# Run the GUI assessor
./cis-cat-lite.sh

CIS Hardened Images

# AWS Marketplace - search for CIS hardened AMIs
aws ec2 describe-images \
  --filters "Name=name,Values=*CIS*" \
  --owners aws-marketplace

# Azure Marketplace
az vm image list --publisher center-for-internet-security --all

# Google Cloud
gcloud compute images list --project cis-public --no-standard-images

Core Assessment Commands

Running CIS-CAT Pro Assessor

Command | Description
./Assessor-CLI.sh -b benchmarks/CIS_Ubuntu_Linux_22.04_LTS_Benchmark_v1.0.0.xml | Assess Ubuntu 22.04
./Assessor-CLI.sh -b benchmarks/ -p "Level 1 - Server" | Assess with Level 1 Server profile
./Assessor-CLI.sh -b benchmarks/ -p "Level 2 - Workstation" | Assess with Level 2 Workstation profile
./Assessor-CLI.sh -b benchmarks/ -r /reports/ | Specify report output directory
./Assessor-CLI.sh -b benchmarks/ -html -csv -txt | Generate multiple report formats

# Full assessment with HTML report
./Assessor-CLI.sh \
  -b benchmarks/CIS_Ubuntu_Linux_22.04_LTS_Benchmark_v1.0.0.xml \
  -p "Level 1 - Server" \
  -r /opt/cis-reports/ \
  -html

# Interactive benchmark selection
./Assessor-CLI.sh -i

# Assess remote host via SSH
./Assessor-CLI.sh \
  -b benchmarks/CIS_Ubuntu_Linux_22.04_LTS_Benchmark_v1.0.0.xml \
  -sessions sessions.properties

# Batch assessment of multiple hosts
./Assessor-CLI.sh \
  -b benchmarks/CIS_Ubuntu_Linux_22.04_LTS_Benchmark_v1.0.0.xml \
  -sessions multi-host-sessions.properties \
  -r /opt/cis-reports/batch/

Session Configuration for Remote Assessment

# sessions.properties
session.type=ssh
session.host=192.168.1.100
session.port=22
session.user=cisadmin
session.identity=/home/admin/.ssh/id_rsa
session.tech=Unix

Linux Hardening Checks

Filesystem Configuration

# Ensure /tmp is a separate partition (CIS 1.1.2)
findmnt /tmp

# Ensure nodev, nosuid, noexec on /tmp (CIS 1.1.3-1.1.5)
mount | grep /tmp
# Expected: /tmp type ext4 (rw,nosuid,nodev,noexec,relatime)

# Ensure /var, /var/tmp, /var/log are separate partitions
findmnt /var
findmnt /var/tmp
findmnt /var/log

# Disable unused filesystems (CIS 1.1.1.x)
cat /etc/modprobe.d/CIS.conf
# install cramfs /bin/true
# install freevxfs /bin/true
# install jffs2 /bin/true
# install hfs /bin/true
# install hfsplus /bin/true
# install udf /bin/true

Access Control

# Ensure permissions on /etc/passwd (CIS 6.1.2)
stat /etc/passwd
# Expected: Access: (0644/-rw-r--r--)

# Ensure permissions on /etc/shadow (CIS 6.1.3)
stat /etc/shadow
# Expected: Access: (0640/-rw-r-----)

# Ensure no world-writable files (CIS 6.1.10)
find / -xdev -type f -perm -0002 -print

# Ensure no unowned files or directories (CIS 6.1.11)
find / -xdev -nouser -print

# Ensure no ungrouped files or directories (CIS 6.1.12)
find / -xdev -nogroup -print

Network Configuration

# Ensure IP forwarding is disabled (CIS 3.1.1)
sysctl net.ipv4.ip_forward
# Expected: net.ipv4.ip_forward = 0

# Ensure ICMP redirects are not accepted (CIS 3.2.2)
sysctl net.ipv4.conf.all.accept_redirects
# Expected: net.ipv4.conf.all.accept_redirects = 0

# Ensure TCP SYN Cookies are enabled (CIS 3.2.8)
sysctl net.ipv4.tcp_syncookies
# Expected: net.ipv4.tcp_syncookies = 1

# Apply sysctl hardening
cat >> /etc/sysctl.d/99-cis.conf << 'EOF'
net.ipv4.ip_forward = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.log_martians = 1
EOF
sysctl --system
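The checks in this section can be folded into one self-checking audit script. The following is an added example (not code from the cheat sheet or from CIS): the check functions take their input as arguments so they can be exercised offline, and audit_host() feeds them live values from findmnt, sysctl and stat. The benchmark ids in the labels are the ones quoted above; the PASS/FAIL output format is this example's own.

```shell
#!/bin/sh
# Added example, not from the cheat sheet or CIS: a small self-checking auditor
# for the Linux items above. Pure check functions; audit_host() feeds live values.

# 0 if every required option appears in a comma-separated mount option list
# (CIS 1.1.3-1.1.5: nodev, nosuid, noexec on /tmp).
has_mount_opts() {
    opts="$1"; shift
    for want in "$@"; do
        case ",$opts," in
            *",$want,"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# 0 if an octal mode is equal to or more restrictive than the CIS maximum:
# no bit set in "actual" that is clear in "max" (600 vs 644 passes, 664 fails).
mode_ok() {
    [ -n "$1" ] || return 1          # stat failed or file missing: treat as FAIL
    actual=$(( 0$1 )); max=$(( 0$2 ))
    [ $(( actual & ~max )) -eq 0 ]
}

# 0 if a sysctl value matches; accepts either "0" or "net.ipv4.ip_forward = 0".
sysctl_ok() {
    [ "$(printf '%s' "$1" | sed 's/.*= *//')" = "$2" ]
}

# Print PASS/FAIL with the benchmark id; exit status mirrors the check.
run_check() {
    id="$1"; shift
    if "$@"; then printf 'PASS %s\n' "$id"; else printf 'FAIL %s\n' "$id"; return 1; fi
}

# Live audit of the checks from this section; returns the number of failures.
audit_host() {
    fails=0
    run_check "1.1.3-1.1.5 /tmp nodev,nosuid,noexec" \
        has_mount_opts "$(findmnt -n -o OPTIONS /tmp)" nodev nosuid noexec || fails=$((fails + 1))
    run_check "3.1.1 ip_forward=0" sysctl_ok "$(sysctl -n net.ipv4.ip_forward)" 0 || fails=$((fails + 1))
    run_check "3.2.8 tcp_syncookies=1" sysctl_ok "$(sysctl -n net.ipv4.tcp_syncookies)" 1 || fails=$((fails + 1))
    run_check "6.1.2 /etc/passwd 0644" mode_ok "$(stat -c %a /etc/passwd)" 644 || fails=$((fails + 1))
    run_check "6.1.3 /etc/shadow 0640" mode_ok "$(stat -c %a /etc/shadow)" 640 || fails=$((fails + 1))
    return "$fails"
}
# Run the live audit only when asked (sh audit.sh --audit); otherwise just define the functions.
case "${1:-}" in --audit) audit_host ;; esac
```

Run it as root with --audit on the host being assessed; the exit status is the number of failed items, which makes it usable from cron or CI.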

Windows Hardening Checks

Account Policies

# Export current security policy
secedit /export /cfg C:\security_baseline.inf

# Check password policy (CIS 1.1.x)
net accounts
# Minimum password length: 14
# Maximum password age: 365
# Minimum password age: 1
# Password history: 24

# Check account lockout policy (CIS 1.2.x)
net accounts
# Lockout threshold: 5
# Lockout duration: 15 minutes
# Lockout observation window: 15 minutes

# Apply security template
secedit /configure /db C:\Windows\security\local.sdb /cfg cis-baseline.inf /overwrite

Audit Policy

# View current audit policy (CIS 17.x)
auditpol /get /category:*

# Set recommended audit policies
auditpol /set /subcategory:"Credential Validation" /success:enable /failure:enable
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"Logoff" /success:enable
auditpol /set /subcategory:"Account Lockout" /failure:enable
auditpol /set /subcategory:"Process Creation" /success:enable
auditpol /set /subcategory:"Security State Change" /success:enable

Configuration

CIS-CAT Pro Assessor Configuration

# assessor-cli.properties
ciscat.home=/opt/cis-cat
ciscat.reports.dir=/opt/cis-reports
ciscat.reports.html=true
ciscat.reports.csv=true
ciscat.reports.json=true
ciscat.benchmark.dir=/opt/cis-cat/benchmarks
ciscat.sessions.default.type=local

Automation with Ansible

# cis-hardening.yml
---
- name: Apply CIS Level 1 Hardening
  hosts: all
  become: true
  tasks:
    - name: Ensure permissions on /etc/passwd
      file:
        path: /etc/passwd
        owner: root
        group: root
        mode: '0644'

    - name: Ensure permissions on /etc/shadow
      file:
        path: /etc/shadow
        owner: root
        group: shadow
        mode: '0640'

    - name: Disable IP forwarding
      sysctl:
        name: net.ipv4.ip_forward
        value: '0'
        sysctl_set: true
        state: present
        reload: true

    - name: Enable TCP SYN cookies
      sysctl:
        name: net.ipv4.tcp_syncookies
        value: '1'
        sysctl_set: true
        state: present
        reload: true

    - name: Remove unnecessary packages
      apt:
        name:
          - telnet
          - rsh-client
          - nis
        state: absent
      when: ansible_os_family == "Debian"

Advanced Usage

CIS Controls Mapping

# Map benchmark recommendations to CIS Controls v8
# CIS Control 4: Secure Configuration of Enterprise Assets and Software
# Maps to: Most Level 1 and Level 2 benchmark items

# CIS Control 5: Account Management
# Maps to: Section 5 (Access, Authentication, Authorization)

# CIS Control 8: Audit Log Management
# Maps to: Section 4 (Logging and Auditing)

# Generate mapping report
./Assessor-CLI.sh \
  -b benchmarks/CIS_Ubuntu_Linux_22.04_LTS_Benchmark_v1.0.0.xml \
  -p "Level 1 - Server" \
  -r /opt/cis-reports/ \
  -html \
  -D ciscat.report.controls.mapping=true

Continuous Compliance Monitoring

# Cron job for daily assessment
# (a cron.d entry must be a single line: cron does not honour backslash continuations;
#  write with > rather than >> so re-running this does not duplicate the entry)
cat > /etc/cron.d/cis-assessment << 'EOF'
0 2 * * * root /opt/cis-cat/Assessor-CLI.sh -b /opt/cis-cat/benchmarks/CIS_Ubuntu_Linux_22.04_LTS_Benchmark_v1.0.0.xml -p "Level 1 - Server" -r /opt/cis-reports/daily/ -csv -html 2>&1 | logger -t cis-cat
EOF

# Parse CSV results for trend analysis
awk -F',' '{print $1","$2","$NF}' /opt/cis-reports/daily/*.csv | \
  grep -E "pass|fail" | sort | uniq -c

Integration with SIEM

# Send CIS-CAT results to syslog for SIEM ingestion
./Assessor-CLI.sh \
  -b benchmarks/CIS_Ubuntu_Linux_22.04_LTS_Benchmark_v1.0.0.xml \
  -p "Level 1 - Server" \
  -r /opt/cis-reports/ \
  -csv

# Forward results to Splunk (add oneshot indexes a file path, not stdin,
# so pass each report file explicitly)
for f in /opt/cis-reports/*.csv; do
  /opt/splunkforwarder/bin/splunk add oneshot "$f" \
    -source cis-cat -sourcetype csv
done

Troubleshooting

Issue | Solution
Java version mismatch | CIS-CAT Pro requires Java 11+. Run java -version and update if needed
Benchmark not found | Verify the benchmark XML path and ensure you have the latest benchmarks from CIS WorkBench
Permission denied during scan | Run the assessor with root/administrator privileges for a full system assessment
Remote session timeout | Increase the SSH timeout in sessions.properties: session.timeout=300
Report generation fails | Check disk space in the reports directory and the Java heap size: -Xmx2048m
Benchmark version mismatch | Download the latest benchmarks matching your OS version from CIS WorkBench
Assessment hangs on network checks | Add --skip-networking or increase the individual check timeout
CSV output encoding issues | Specify UTF-8 encoding: -D ciscat.report.csv.encoding=UTF-8